1. Ultimate Hack
Manipulating Layers 8 & 9 [Management & Budget] of the OSI Model
Rafal M. Los ...aka „Wh1t3Rabbit“
AtlSecCon – March 2011
© Copyright 2011 Hewlett-Packard Development Company, L.P. The information
contained herein is subject to change without notice. Confidentiality label goes here
2. Hi …I’m the Wh1t3 Rabbit
Twitter: “Wh1t3Rabbit”
Blog: http://hp.com/go/white-rabbit
Practical Experience?
•IT since 1995
•InfoSec since 1999
•Built & led AppSec Program in Fortune 100
•More years doing than talking
3. Rules for this talk
(seriously)
CAUTION: The contents in this talk may make you uncomfortable as an information security professional.
1. Participate
2. Share your thoughts
3. If you share, be honest with your answers
4. There is an assignment at the end…
4. A riddle:
What does an Information Security
team DO?
5. Does senior management respect and support Information Security's vision & efforts?
…or just deal with you?
6. Our Goal as InfoSec Professionals
(what we tell ourselves)
•“secure the business”
•“reduce risk”
•“deploy security measures”
•“protect the company”
•“keep threats out”
7. Our Goal as InfoSec Professionals
When management hears this…
•“secure the business” from what?
•“reduce risk” of what?
•“deploy security measures” why?
•“protect the company” from what?
•“keep threats out” of where? (and why?)
8. Layers 8 & 9
"the secret layers"
Management – necessary for…
•Organizational buy-in
•Push change from the top
•Create shift in policy & culture
•Credibility
Budget – necessary for…
•Required for staff, gear
•Persuasion
•Education
•Seed effort
9. So … you NEED Management & Budget
…but how do you manipulate them to your ends?
10. Getting what you want at
Layers 8 & 9
My 7 Secrets to Success
11. Align to the Business
What does your business do?
Objective: Understand completely and comprehensively what your organization does, how it makes money, and how it evolves.
Situation: Many IT Security Pros do not know business drivers
• Align to your business or organizational goals
– Compliance with government regulations may be a goal
– Expanding into new markets may be a goal
– Developing a new prototype may be a goal
• Drive security like it was a 'business'
– Understand cause:effect of security policy & vision
– Don't spend $10M to protect $100k
12. Walk a mile...
Go work as a business analyst
Objective: If you want to understand why business analysts do strange/insecure things – go be one of them for a while.
Situation: Understand the situations you are working against
• Security must truly understand the motivations that drive business decisions and employees
– Security analysts must work in the business
– Understand 'how it works' and what drives non-IT Security
– "Feel their pain"
• I promise you will have a different outlook
– Understand the business, protect its assets rationally
13. Carrot & Stick
Rewards balance consequences
Objective: Neither rewards nor consequences alone will reach your ends; a sane balance must be found between the push and pull of your security goals.
Situation: You can lead a horse to water, even put him IN water…
• Do better than "because security says so"
– People avoid you because they can and will get away with it
– Policy is a weak motivational tool
• Offer incentives to make 'secure' choices
– Rewards, recognition, positive reinforcement
• Severely punish blatant detractors
– Approve severe punishment (firing?) through HR, enforce it.
*Blog post http://h30501.www3.hp.com/t5/Following-the-White-Rabbit-A/The-Path-of-Least-Resistance/ba-p/22011
14. Advisory vs. Operations
Segment your security practice
Objective: Separate out the 'advise' from the 'do' parts of Information Security to achieve higher credibility and better resource utilization.
Situation: Split the organization to optimize efficiencies
• Operational tasks move out to a small operations team
– Managing anti-virus, patches, IDM, firewall rules, etc.
– Manage the 'doers', validate with a small nimble team
• Shift majority of team to advisory capacity
– Much like internal consultants: provide sound advice, let others do
– Formulate & dictate policy, push to ops teams to implement
• Great cost efficiencies here, dynamic efficiencies
15. Risk, Compliance, Legal
Meet your new best friends
Objective: Align with the 3 most powerful parts of any organization; adopt their methods and leverage each other's capabilities and expertise.
Situation: IT Security is not unlike legal, risk and compliance
• Get to know the practices of these departments
– Understand their motivations and power capabilities
– Understand their struggles with reaching goals
o Offer technology-based approaches to their ills
• Leverage each other's strengths to drive key strategy
– What is good for me, is good for 'we'
– Security's goals can often be accomplished by legal's requirements
16. Business-driven 'security'
Business must need it
Objective: Allow your business to come to the conclusion that it requires your assistance to meet business goals and customer demands.
Situation: You CAN NOT force security onto an organization
• Provide advisory assessments of IT risk to the organization as appropriate
– Define the appropriate format for your industry, market
– Make reports readily available to customers, auditors
– Allow constituents to choose from approved remediation options
• Offer a lower-cost, consolidated alternative to continually failing audit, scrambling to comply
17. Leverage Accountability
"Just sign here to accept risk"
Objective: Few things are more powerful than the risk of being held accountable for your actions; advise on risk and allow a business owner to accept that risk with a simple signature.
Situation: Accountability in a visible way is fundamental
• Provide objective assessment of risk
– Research, then file a comprehensive risk profile report
– Discuss the impact, cost, and assessed risk to the organization
• Give leaders the ability to choose
– Accept risk on behalf of the organization
o Sign off on the risk (literally) and get reported
– Remediate the risks
18. Measure Yourself (KPIs)
How do you know you've succeeded?
Objective: There are no more than 5 KPIs you must measure against; KPIs enable a non-technical conversation with management & leadership.
Situation: Can you measure security's true impact?
• Most organizations have lots of data & metrics
– Metrics rarely tell a big picture
– Spreadsheets, dashboards are often too complex and technical
• Do your KPIs pass the "so what?" test?
– Does it impact the business?
– Does it impact revenue?
– Are you improving proportionately to fiscal spend?
19. The Most Important Answer
If you want to shock your CIO, answer this question:
When can we stop spending money?
When have you achieved a 'good enough' state of IT risk?
•Who defines and accepts those parameters?
•How does security contribute to 'good enough'?
•Can you tell the CIO when to stop spending?
20. These are my secrets to succeeding
They've worked for me, they may work for you
Try this at home ...but make sure you are rational.
• There is no silver bullet, we're not baking cookies
• Every organization is different, approaches vary
–Some assembly required, batteries not included
–No warranties, no returns
21. A smart poker player knows…
•when to hold
•when to fold
•when to walk away
•when to run like hell.
22. Thank you
Did you learn something?
Rafal Los
Twitter.com/Wh1t3Rabbit
HP.com/go/white-rabbit